KEYCLOAK-5176 Strip headers from PEM when uploading to client

This commit is contained in:
stianst 2017-12-04 15:47:35 +01:00 committed by Stian Thorgersen
parent 19cfbbf7ff
commit 4541acc628
4 changed files with 22 additions and 6 deletions

View file

@ -149,7 +149,7 @@ public final class PemUtils {
return Base64.decode(pem); return Base64.decode(pem);
} }
private static String removeBeginEnd(String pem) { public static String removeBeginEnd(String pem) {
pem = pem.replaceAll("-----BEGIN (.*)-----", ""); pem = pem.replaceAll("-----BEGIN (.*)-----", "");
pem = pem.replaceAll("-----END (.*)----", ""); pem = pem.replaceAll("-----END (.*)----", "");
pem = pem.replaceAll("\r\n", ""); pem = pem.replaceAll("\r\n", "");

View file

@ -190,6 +190,8 @@ public class ClientAttributeCertificateResource {
if (keystoreFormat.equals(CERTIFICATE_PEM)) { if (keystoreFormat.equals(CERTIFICATE_PEM)) {
String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null)); String pem = StreamUtil.readString(inputParts.get(0).getBody(InputStream.class, null));
pem = PemUtils.removeBeginEnd(pem);
// Validate format // Validate format
KeycloakModelUtils.getCertificate(pem); KeycloakModelUtils.getCertificate(pem);

View file

@ -165,6 +165,23 @@ public class CredentialsTest extends AbstractClientTest {
cert = certRsc.getKeyInfo(); cert = certRsc.getKeyInfo();
assertEquals("cert properly set", certificate2, cert.getCertificate()); assertEquals("cert properly set", certificate2, cert.getCertificate());
assertNull("privateKey nullified", cert.getPrivateKey()); assertNull("privateKey nullified", cert.getPrivateKey());
// Upload certificate with header - should be stored without header
form = new MultipartFormDataOutput();
form.addFormData("keystoreFormat", "Certificate PEM", MediaType.TEXT_PLAIN_TYPE);
String certificate2WithHeaders = "-----BEGIN CERTIFICATE-----\n" + certificate2 + "\n-----END CERTIFICATE-----";
form.addFormData("file", certificate2WithHeaders.getBytes(Charset.forName("ASCII")), MediaType.APPLICATION_OCTET_STREAM_TYPE);
cert = certRsc.uploadJks(form);
assertNotNull("cert not null", cert);
assertEquals("cert properly extracted", certificate2, cert.getCertificate());
assertNull("privateKey not included", cert.getPrivateKey());
// Get the certificate again - to make sure cert is set, and privateKey is null
cert = certRsc.getKeyInfo();
assertEquals("cert properly set", certificate2, cert.getCertificate());
assertNull("privateKey nullified", cert.getPrivateKey());
} }
@Test @Test

View file

@ -43,11 +43,7 @@ import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.authentication.AuthenticationFlowError; import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator; import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.common.constants.ServiceAccountConstants; import org.keycloak.common.constants.ServiceAccountConstants;
import org.keycloak.common.util.BouncyIntegration; import org.keycloak.common.util.*;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.common.util.Time;
import org.keycloak.common.util.UriUtils;
import org.keycloak.constants.ServiceUrlConstants; import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.events.Details; import org.keycloak.events.Details;
import org.keycloak.events.Errors; import org.keycloak.events.Errors;
@ -727,6 +723,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
} }
private static void assertCertificate(ClientRepresentation client, String certOld, String pem) { private static void assertCertificate(ClientRepresentation client, String certOld, String pem) {
pem = PemUtils.removeBeginEnd(pem);
final String certNew = client.getAttributes().get(JWTClientAuthenticator.CERTIFICATE_ATTR); final String certNew = client.getAttributes().get(JWTClientAuthenticator.CERTIFICATE_ATTR);
assertNotEquals("The old and new certificates shouldn't match", certOld, certNew); assertNotEquals("The old and new certificates shouldn't match", certOld, certNew);
assertEquals("Certificates don't match", pem, certNew); assertEquals("Certificates don't match", pem, certNew);